/*
* @implemented
*/
BOOL
WINAPI
Module32First(HANDLE hSnapshot, LPMODULEENTRY32 lpme)
{
MODULEENTRY32W me;
BOOL Ret;
CHECK_PARAM_SIZEA(lpme, sizeof(MODULEENTRY32));
me.dwSize = sizeof(MODULEENTRY32W);
Ret = Module32FirstW(hSnapshot, &me);
if(Ret)
{
lpme->th32ModuleID = me.th32ModuleID;
lpme->th32ProcessID = me.th32ProcessID;
lpme->GlblcntUsage = me.GlblcntUsage;
lpme->ProccntUsage = me.ProccntUsage;
lpme->modBaseAddr = me.modBaseAddr;
lpme->modBaseSize = me.modBaseSize;
lpme->hModule = me.hModule;
WideCharToMultiByte(CP_ACP, 0, me.szModule, -1, lpme->szModule, sizeof(lpme->szModule), 0, 0);
WideCharToMultiByte(CP_ACP, 0, me.szExePath, -1, lpme->szExePath, sizeof(lpme->szExePath), 0, 0);
}
return Ret;
}
BOOL WINAPI EjectLibW(DWORD dwProcessId, PCWSTR pszLibFile) {
BOOL fOk = FALSE; // Assume that the function fails
HANDLE hthSnapshot = NULL;
HANDLE hProcess = NULL, hThread = NULL;
__try {
// Grab a new snapshot of the process
hthSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);
if (hthSnapshot == NULL) __leave;
// Get the HMODULE of the desired library
MODULEENTRY32W me = { sizeof(me) };
BOOL fFound = FALSE;
BOOL fMoreMods = Module32FirstW(hthSnapshot, &me);
for (; fMoreMods; fMoreMods = Module32NextW(hthSnapshot, &me)) {
fFound = (lstrcmpiW(me.szModule, pszLibFile) == 0) ||
(lstrcmpiW(me.szExePath, pszLibFile) == 0);
if (fFound) break;
}
if (!fFound) __leave;
// Get a handle for the target process.
hProcess = OpenProcess(
PROCESS_QUERY_INFORMATION | // Required by Alpha
PROCESS_CREATE_THREAD |
PROCESS_VM_OPERATION, // For CreateRemoteThread
FALSE, dwProcessId);
if (hProcess == NULL) __leave;
// Get the real address of LoadLibraryW in Kernel32.dll
PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)
GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "FreeLibrary");
if (pfnThreadRtn == NULL) __leave;
// Create a remote thread that calls LoadLibraryW(DLLPathname)
hThread = CreateRemoteThread(hProcess, NULL, 0,
pfnThreadRtn, me.modBaseAddr, 0, NULL);
if (hThread == NULL) __leave;
// Wait for the remote thread to terminate
if (WaitForSingleObject(hThread, INJLIB_WAITTIMEOUT)!=WAIT_OBJECT_0)
fOk=FALSE;
else
fOk = TRUE; // Everything executed successfully
}
__finally { // Now we can clean everything up
if (hthSnapshot != NULL)
CloseHandle(hthSnapshot);
if (hThread != NULL)
CloseHandle(hThread);
if (hProcess != NULL)
CloseHandle(hProcess);
}
return(fOk);
}
// Ejects a module (fully qualified path) via process id
void Injector::EjectLib(DWORD ProcID, const std::wstring& Path)
{
// Grab a new snapshot of the process
EnsureCloseHandle Snapshot(CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, ProcID));
if (Snapshot == INVALID_HANDLE_VALUE)
throw std::runtime_error("Could not get module snapshot for remote process.");;
// Get the HMODULE of the desired library
MODULEENTRY32W ModEntry = { sizeof(ModEntry) };
bool Found = false;
BOOL bMoreMods = Module32FirstW(Snapshot, &ModEntry);
for (; bMoreMods; bMoreMods = Module32NextW(Snapshot, &ModEntry))
{
std::wstring ModuleName(ModEntry.szModule);
std::wstring ExePath(ModEntry.szExePath);
Found = (ModuleName == Path || ExePath == Path);
if (Found) break;
}
if (!Found)
throw std::runtime_error("Could not find module in remote process.");;
// Get a handle for the target process.
EnsureCloseHandle Process(OpenProcess(
PROCESS_QUERY_INFORMATION |
PROCESS_CREATE_THREAD |
PROCESS_VM_OPERATION, // For CreateRemoteThread
FALSE, ProcID));
if (!Process)
throw std::runtime_error("Could not get handle to process.");
// Get the real address of LoadLibraryW in Kernel32.dll
HMODULE hKernel32 = GetModuleHandle(TEXT("Kernel32"));
if (hKernel32 == NULL)
throw std::runtime_error("Could not get handle to Kernel32.");
PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)
GetProcAddress(hKernel32, "FreeLibrary");
if (pfnThreadRtn == NULL)
throw std::runtime_error("Could not get pointer to FreeLibrary.");
// Create a remote thread that calls FreeLibrary()
EnsureCloseHandle Thread(CreateRemoteThread(Process, NULL, 0,
pfnThreadRtn, ModEntry.modBaseAddr, 0, NULL));
if (!Thread)
throw std::runtime_error("Could not create thread in remote process.");
// Wait for the remote thread to terminate
WaitForSingleObject(Thread, INFINITE);
// Get thread exit code
DWORD ExitCode;
if (!GetExitCodeThread(Thread,&ExitCode))
throw std::runtime_error("Could not get thread exit code.");
// Check LoadLibrary succeeded and returned a module base
if(!ExitCode)
throw std::runtime_error("Call to FreeLibrary in remote process failed.");
}
bool WINAPI PluginLoader::DLLEjecteurW(DWORD dwPid,PWSTR szDLLPath)
{
/* Search address of module */
MODULEENTRY32W meModule;
meModule.dwSize = sizeof(meModule);
HANDLE hSnapshot = NULL;
hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwPid);
if(hSnapshot == NULL)
return false;
/* Search the right modules of the process */
Module32FirstW(hSnapshot, &meModule);
do{
if((lstrcmpiW(meModule.szModule,szDLLPath) == 0) || (lstrcmpiW(meModule.szExePath,szDLLPath) == 0))break;
}while(Module32NextW(hSnapshot, &meModule));
/* Get handle of the process */
HANDLE hProcess;
hProcess = OpenProcess(PROCESS_ALL_ACCESS, false,dwPid);
if(hProcess == NULL)
{
CloseHandle(hSnapshot);
return false;
}
LPTHREAD_START_ROUTINE lpthThreadFunction;
/* Get addresse of FreeLibrary in kernel32.dll */
lpthThreadFunction = (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(L"kernel32.dll"), "FreeLibrary");
if(lpthThreadFunction == NULL)
{
CloseHandle(hProcess);
CloseHandle(hSnapshot);
return false;
}
/* Creation the remote thread */
DWORD dwThreadID = 0;
HANDLE hThread = NULL;
hThread = CreateRemoteThread(hProcess, NULL, 0, lpthThreadFunction,meModule.modBaseAddr, 0, &dwThreadID);
if(hThread == NULL)
{
CloseHandle(hSnapshot);
CloseHandle(hProcess);
return false;
}
WaitForSingleObject(hThread,INFINITE);
CloseHandle(hProcess);
CloseHandle(hThread);
return true;
}
std::wstring DebugHelper::DumpModules(uint32 processId) const {
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, processId);
if (hSnapshot == INVALID_HANDLE_VALUE)
throw std::runtime_error("Could not create module snapshot!");
std::wostringstream strmModules;
MODULEENTRY32W moduleEntry = {0};
moduleEntry.dwSize = sizeof(moduleEntry);
if (Module32FirstW(hSnapshot, &moduleEntry) != FALSE) {
do if (moduleEntry.th32ProcessID == processId) {
strmModules << L" 0x" << std::hex << std::uppercase
<< reinterpret_cast<void*>(moduleEntry.modBaseAddr) << L": "
<< (moduleEntry.szModule != nullptr ? moduleEntry.szModule : L"<null>");
if (moduleEntry.szExePath != nullptr) {
DWORD dwVersionInfoHandle = 0;
DWORD dwVersionInfoSize = GetFileVersionInfoSizeW(moduleEntry.szExePath, &dwVersionInfoHandle);
UINT fileInfoSize = 0;
VS_FIXEDFILEINFO *pFileInfo = nullptr;
Utils::ByteBuffer versionInfoBuffer(dwVersionInfoSize);
if (dwVersionInfoSize != 0 &&
GetFileVersionInfoW(moduleEntry.szExePath, dwVersionInfoHandle,
dwVersionInfoSize, versionInfoBuffer.data()) != FALSE &&
VerQueryValueW(versionInfoBuffer.data(), L"\\",
reinterpret_cast<LPVOID*>(&pFileInfo), &fileInfoSize) != FALSE &&
fileInfoSize >= sizeof(VS_FIXEDFILEINFO))
{
// Output file version string...
strmModules << L" (" << std::dec
<< HIWORD(pFileInfo->dwFileVersionMS) << L'.'
<< LOWORD(pFileInfo->dwFileVersionMS) << L'.'
<< HIWORD(pFileInfo->dwFileVersionLS) << L'.'
<< LOWORD(pFileInfo->dwFileVersionLS) << L')';
}
}
strmModules << L"\r\n";
}
while (Module32NextW(hSnapshot, &moduleEntry) != FALSE);
}
CloseHandle(hSnapshot);
return strmModules.str();
}
BOOL WINAPI EjectLibW(DWORD dwProcessId, PCWSTR pszLibFile)
{
BOOL fOk = FALSE;
HANDLE hthSnapshot = NULL;
HANDLE hProcess = NULL, hThread = NULL;
__try
{
//нужен будет base address на pszLibFile, берем его HMODULE (MODULEENTRY32W)
hthSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);
if (hthSnapshot == NULL) __leave;
MODULEENTRY32W me = { sizeof(me) };
BOOL fFound = FALSE;
BOOL fMoreMods = Module32FirstW(hthSnapshot, &me);
for (; fMoreMods; fMoreMods = Module32NextW(hthSnapshot, &me))
{
fFound = (lstrcmpiW(me.szModule, pszLibFile) == 0) || (lstrcmpiW(me.szExePath, pszLibFile) == 0);
if (fFound) break;
}
if (!fFound) __leave;
hProcess = OpenProcess(
PROCESS_CREATE_THREAD |
PROCESS_VM_OPERATION,
FALSE, dwProcessId);
if (hProcess == NULL) __leave;
//выгружаем dll (FreeLibrary) из удаленного процесса
PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE) GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "FreeLibrary");
if (pfnThreadRtn == NULL) __leave;
hThread = CreateRemoteThread(hProcess, NULL, 0, pfnThreadRtn, me.modBaseAddr, 0, NULL);
if (hThread == NULL) __leave;
WaitForSingleObject(hThread, INFINITE);
fOk = TRUE;
}
__finally
{
if (hthSnapshot != NULL)
CloseHandle(hthSnapshot);
if (hThread != NULL)
CloseHandle(hThread);
if (hProcess != NULL)
CloseHandle(hProcess);
}
return(fOk);
}
std::wstring tools::GetWNDProcName(HWND hwnd)
{
DWORD dwPID;
GetWindowThreadProcessId(hwnd, &dwPID);
HANDLE hTH = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwPID);
if (hTH != INVALID_HANDLE_VALUE)
{
MODULEENTRY32W me = { sizeof(MODULEENTRY32W) };
if (Module32FirstW(hTH, &me))
{
WCHAR *procPath = me.szExePath;
int pos = -1;
for (size_t i = 0; i < MAX_PATH; ++i)
{
if (procPath[i] == '\\')
{
pos = i;
}
}
if (pos == -1)
{
return wstrUnknown;
}
else
{
WCHAR *procName = &procPath[pos + 1];
if (procName[0] == 0)
{
return wstrUnknown;
}
else
{
return procName;
}
}
}
CloseHandle(hTH);
}
return wstrUnknown;
}
std::set<wxString, wxStringOrdinalComparator> ProcessManager::GetModulesForProcessIdInternalV3(int processID, DWORD& resultCode)
{
unique_handle hProcessSnap(CreateToolhelp32Snapshot(TH32CS_SNAPALL | TH32CS_SNAPMODULE32 | TH32CS_SNAPPROCESS, 0));
if (hProcessSnap.get() == INVALID_HANDLE_VALUE)
return set<wxString, wxStringOrdinalComparator>();
MODULEENTRY32W me32;
me32.dwSize = sizeof(MODULEENTRY32W);
if (!Module32FirstW(hProcessSnap.get(), &me32))
{
return set<wxString, wxStringOrdinalComparator>();
}
set<wxString, wxStringOrdinalComparator> resultList;
do
{
resultList.insert(me32.szExePath);
} while (Module32NextW(hProcessSnap.get(), &me32));
return move(resultList);
}
WCHAR* GetWndFileName(HWND hWnd)
{
WCHAR* szName=(WCHAR*)malloc(MAX_PATH*2+1);
DWORD dwPID = 0;
GetWindowThreadProcessId( hWnd, &dwPID);
HANDLE hTH = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, dwPID);
if ( hTH != INVALID_HANDLE_VALUE)
{
MODULEENTRY32W me = { sizeof( MODULEENTRY32W) };
if ( Module32FirstW( hTH, &me))
{
lstrcpyW(szName,me.szModule);
//sprintf(szName,"[%s]\n",me.szExePath);
}
CloseHandle( hTH);
}
return szName;
}
/*
=======================================
模块枚举
=======================================
*/
CR_API UINT WINAPI
ModuleList (
__CR_IN__ DWORD prcss_id,
__CR_OT__ MODULEENTRY32W** list
)
{
BOOL goon;
HANDLE snap;
MODULEENTRY32W temp;
/* 取得指定进程的所有模块信息 */
snap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, prcss_id);
if (snap == INVALID_HANDLE_VALUE)
return (0);
std::vector<MODULEENTRY32W> vlist;
/* 枚举进程 */
temp.dwSize = sizeof(MODULEENTRY32W);
goon = Module32FirstW(snap, &temp);
while (goon) {
vlist.push_back(temp);
temp.dwSize = sizeof(MODULEENTRY32W);
goon = Module32NextW(snap, &temp);
}
CloseHandle(snap);
size_t size = vlist.size();
/* 返回进程列表 */
if (size == 0)
return (0);
size *= sizeof(MODULEENTRY32W);
*list = (MODULEENTRY32W*)mem_malloc(size);
if (*list == NULL)
return (0);
memcpy(*list, &vlist[0], size);
return (vlist.size());
}
static void OutputStackTrace(DWORD exceptionCode, const PVOID* addrOffsets)
{
WCHAR path[MAX_PATH + 4];
path[GetModuleFileName(NULL, path, MAX_PATH)] = L'\0';
lstrcat(path, L".err");
HANDLE hFile = CreateFile(path, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if( hFile != INVALID_HANDLE_VALUE ){
char buff[384];
DWORD written;
int len = wsprintfA(buff, "ExceptionCode = 0x%08X\r\n", exceptionCode);
WriteFile(hFile, buff, len, &written, NULL);
for( int i = 0; addrOffsets[i]; i++ ){
SYMBOL_INFO symbol[1 + (256 + sizeof(SYMBOL_INFO)) / sizeof(SYMBOL_INFO)];
symbol->SizeOfStruct = sizeof(SYMBOL_INFO);
symbol->MaxNameLen = 256;
DWORD64 displacement;
if( SymFromAddr(GetCurrentProcess(), (DWORD64)addrOffsets[i], &displacement, symbol) ){
len = wsprintfA(buff, "Trace%02d 0x%p = 0x%p(%s) + 0x%X\r\n", i, addrOffsets[i], (PVOID)symbol->Address, symbol->Name, (DWORD)displacement);
}else{
len = wsprintfA(buff, "Trace%02d 0x%p = ?\r\n", i, addrOffsets[i]);
}
WriteFile(hFile, buff, len, &written, NULL);
}
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, 0);
if( hSnapshot != INVALID_HANDLE_VALUE ){
MODULEENTRY32W modent;
modent.dwSize = sizeof(modent);
if( Module32FirstW(hSnapshot, &modent) ){
do{
len = wsprintfA(buff, "0x%p - 0x%p = %S\r\n", modent.modBaseAddr, modent.modBaseAddr + modent.modBaseSize - 1, modent.szModule);
WriteFile(hFile, buff, len, &written, NULL);
}while( Module32NextW(hSnapshot, &modent) );
}
CloseHandle(hSnapshot);
}
CloseHandle(hFile);
}
}
/*
=======================================
DLL 卸载
=======================================
*/
CR_API UINT WINAPI
FreeDllModule (
__CR_IN__ DWORD prcss_id,
__CR_IN__ LPCWSTR dll_name
)
{
HANDLE snapshot;
HANDLE thread, process;
MODULEENTRY32W mod = { sizeof(mod) };
/* 取得指定进程的所有模块信息 */
snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, prcss_id);
if (snapshot == INVALID_HANDLE_VALUE)
return (HLB_ERROR);
BOOL found;
/* 循环取得想要的模块 */
found = Module32FirstW(snapshot, &mod);
if (!found) {
CloseHandle(snapshot);
return (HLB_ERROR);
}
for (; found; found = Module32NextW(snapshot, &mod)) {
if (lstrcmpW(mod.szExePath, dll_name) == 0 ||
lstrcmpW(mod.szModule, dll_name) == 0)
break;
}
if (!found) {
CloseHandle(snapshot);
return (HLB_ERROR);
}
/* 打开进程 */
process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, prcss_id);
if (process == NULL) {
CloseHandle(snapshot);
return (HLB_ERROR);
}
HMODULE krnl;
PTHREAD_START_ROUTINE func;
/* 取得 FreeLibrary 函数在 kernel32.dll 中的地址 */
krnl = GetModuleHandleW(L"kernel32.dll");
func = (PTHREAD_START_ROUTINE)GetProcAddress(krnl, "FreeLibrary");
if (func == NULL) {
CloseHandle(process);
CloseHandle(snapshot);
return (HLB_ERROR);
}
/* 创建远程线程来执行 FreeLibrary 函数 */
thread = CreateRemoteThread(process, NULL, 0, func,
mod.modBaseAddr, 0, NULL);
if (thread == NULL) {
CloseHandle(process);
CloseHandle(snapshot);
return (HLB_ERROR);
}
/* 等待线程返回 */
WaitForSingleObject(thread, INFINITE);
/* 关闭句柄 */
CloseHandle(thread);
CloseHandle(process);
CloseHandle(snapshot);
return (HLB_OKAY);
}
BOOL WINAPI EjectLibW(DWORD dwProcessId, PCWSTR pszLibFile)
{
BOOL bOk = FALSE; // Assume that the function fails
HANDLE hthSnapshot = NULL;
HANDLE hProcess = NULL, hThread = NULL;
__try
{
// Grab a new snapshot of the process
hthSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, dwProcessId);
if (hthSnapshot == INVALID_HANDLE_VALUE) __leave;
// Get the HMODULE of the desired library
MODULEENTRY32W me = { sizeof(me) };
BOOL bFound = FALSE;
BOOL bMoreMods = Module32FirstW(hthSnapshot, &me);
for (; bMoreMods; bMoreMods = Module32NextW(hthSnapshot, &me))
{
bFound = (_wcsicmp(me.szModule, pszLibFile) == 0) ||
(_wcsicmp(me.szExePath, pszLibFile) == 0);
if (bFound) break;
}
if (!bFound) __leave;
// Get a handle for the target process.
hProcess = OpenProcess(
PROCESS_QUERY_INFORMATION |
PROCESS_CREATE_THREAD |
PROCESS_VM_OPERATION, // For CreateRemoteThread
FALSE, dwProcessId);
if (hProcess == NULL) __leave;
// Get the real address of FreeLibrary in Kernel32.dll
PTHREAD_START_ROUTINE pfnThreadRtn = (PTHREAD_START_ROUTINE)
GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "FreeLibrary");
if (pfnThreadRtn == NULL) __leave;
// Create a remote thread that calls FreeLibrary()
hThread = CreateRemoteThread(hProcess, NULL, 0,
pfnThreadRtn, me.modBaseAddr, 0, NULL);
if (hThread == NULL) __leave;
// Wait for the remote thread to terminate
WaitForSingleObject(hThread, INFINITE);
bOk = TRUE; // Everything executed successfully
}
__finally // Now we can clean everything up
{
if (hthSnapshot != NULL)
CloseHandle(hthSnapshot);
if (hThread != NULL)
CloseHandle(hThread);
if (hProcess != NULL)
CloseHandle(hProcess);
}
return(bOk);
}
